A factor which is concentrating the minds of data protection officers is the level of fines that the Information Commissioner’s Office (ICO) can impose on companies and organisations found to have committed a breach of the GDPR.
There are contrasting views on the likelihood that the ICO will wield this power fully and often, but the reality is that it exists. “The potential cost in pure financial terms is mind-boggling,” said Stephen Grant, a corporate solicitor with Scottish law firm Wright, Johnston & Mackenzie LLP. “We are talking about figures that will make companies sit up and pay attention.”
Currently, the maximum fine that the ICO can impose is £500,000. Under the GDPR, that increases to £20m, or 4% of a company’s global annual turnover, whichever is greater.
The implication of this change hit home last year, when cybersecurity firm NCC Group published the results of its extrapolation of previous ICO fines based on the powers it will have under the GDPR. The company said that the total of fines imposed by the ICO in 2016 would have risen from £880,500 to £69m if the GDPR had been in force.
Currently the ICO can hand out fines of up to £500,000 for contraventions of the Data Protection Act 1998 (DPA), including data breaches, nuisance calls, and publication of private data. Once the GDPR comes into force on 25 May 2018 there will be a two-tiered sanction regime, with lesser incidents subject to a maximum fine of either €10m or 2% of an organisation’s global turnover, whichever is greater. More significant contraventions will lead to fines of €20m or 4% of turnover, whichever is greater.
NCC looked at ICO fines from 2015 and 2016. Using the current maximum penalty as a guide, it created a model to determine what tier the fine would fall into and what a maximum post-GDPR fine would likely be. For example, Talk Talk’s 2016 fine of £400,000 for security failings that allowed cyber attackers to access customer data would rise significantly to £59m under GDPR, it concluded.
Roger Rawlinson, managing director of NCC Group’s Assurance Division, said: “GDPR isn’t just about financial penalties, but this analysis is a reminder that there will be significant commercial impacts for organisations that fall foul of the regulations.
“Businesses should have already started preparations for GDPR by now. Most organisations will have to fundamentally change the way they organise, manage and protect data. A shift of this size will need buy-in from the board.
“We recommend that companies use GDPR as an opportunity to review their entire security strategy. Cyber resilience is about effective response and remediation. Understanding that attacks will happen and ensuring appropriate reactions is crucial.”
Following the NCC report, Information Commissioner Elizabeth Denham wrote in a blog post: “This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that. Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point.
“It’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm,” she wrote. “The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.”
Denham said that the ICO’s Information Rights Strategy, a “blueprint” for her five-year term in office, confirmed that commitment and she pointed to its record of issuing fines as a last resort; in the year 2016/17, the ICO concluded 17,300 cases but only 16 of those resulted in fines for the organisations involved.
“Predictions of massive fines under the GDPR that simply scale up penalties we’ve issued under the Data Protection Act are nonsense,” wrote Denham. “Don’t get me wrong, the UK fought for increased powers when the GDPR was being drawn up. Heavy fines for serious breaches reflect just how important personal data is in a 21st century world.
“But we intend to use those powers proportionately and judiciously. And while fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective. While these will not hit organisations in the pocket – their reputations will suffer a significant blow. And you can’t insure against that.”
Wright, Johnston & Mackenzie’s Stephen Grant said that the financial cost of non-compliance was only part of the picture: “Expect the ICO to do much more ‘naming and shaming’.”
And he pointed out that mitigating factors – such as proactive steps taken by a company – would be taken into account by the ICO. But Grant cautioned that the financial impact of an ICO decision would not necessarily be limited to the fine it imposed: “Affected individuals can also sue direct for compensation – both for actual damage or loss they suffer, and also for distress caused.”
Stephen Bailey, associate director at NCC Group, underlined the importance of being able to demonstrate responsiveness: “Businesses should ensure that any data breaches, or even suspected breaches, of any size are tracked in a breach log. Having a record of exactly when a breach took place, how it happened, the decision that was made in response and who signed off this decision, will prove a business is at least attempting to be compliant, even if the guidelines are still a little vague at the moment.
“The general consensus around GDPR is ‘the more, the better’, and therefore those wishing to demonstrate intent beyond compliance may even wish to go one step further and link any recorded breach to the steps taken to prevent future breaches.
“In order to offer full transparency of any potential breaches of data you are responsible for, it would be wise to have a risk-based approach to reviewing and/or developing contracts with suppliers which agree access to their own breach logs.
“This would also provide an opportunity to monitor for vulnerabilities and flag when a third-party’s security posture might be deteriorating or no longer fit for purpose – any alarming findings will highlight when it is necessary to make an intervention, that could even mean replacing that supplier, and can help prevent a severe cyber attack.”
Just the beginning
While all eyes are on 25 May, the GDPR’s impact is set to evolve over the coming years, says Wright, Johnston & Mackenzie’s Stephen Grant.
“The Article 29 Working Party, which is made up of representatives of the regulators from each member state, provides independent advice to the European Commission on data protection,” he said. “Its aim has been to harmonise and streamline implementation.”
From the day of enforcement, however, it becomes the European Data Protection Board. Its membership remains the same, but its influence over data protection becomes stronger. Previously, it issued non-binding opinions but the new board will have the legal power to make final decisions on issues such as disputes within the group, should regulators from different countries disagree with each other.
In a further indication that the GDPR’s impact will evolve, Isabelle Falque-Pierrotin, the working party’s former chair and the newly appointed president of France’s National Commission for Informatics and Liberties (CNIL), the country’s data protection authority, told France’s Les Echos newspaper that 25 May will not signal an immediate clampdown: “We will continue to support companies for several months,” she said.
A wake-up call
A Belgian court has threatened Facebook with a fine of up to €100m if it continues to “break privacy laws” by tracking people on third-party websites.
In a case brought by Belgium’s privacy watchdog, the court also ruled that the social network had to delete all data it had gathered “illegally” on Belgian citizens, including people who were not Facebook users themselves. Facebook said the technologies it used were in line with industry standards and it gave users the right to opt out of data collection on websites and applications being used for advertisements.
Wright, Johnston & Mackenzie’s Stephen Grant said companies like Facebook and Google, which will also be hit by the GDPR’s ‘right to be forgotten’ principle, face “huge organisational change”. He said: “How these companies deal with the GDPR could shape the future for the rest of business.”